Engineering notes on SAST benchmarking — methodology, scoring, and coverage for measuring static analysis tools.https://blog.benchproctor.com/en-ushttps://blog.benchproctor.com/java-first-release-plan/https://blog.benchproctor.com/java-first-release-plan/BenchProctor's corpus spans nine languages, but we publish each only once it's verified production-ready. Java ships fully to the public before the end of June 2026 — here's why we're not dumping all nine at once.Sat, 30 May 2026 00:00:00 GMTreleaseroadmapBenchProctorhttps://blog.benchproctor.com/how-benchproctor-scores-sast-tools/https://blog.benchproctor.com/how-benchproctor-scores-sast-tools/The whole scoring model is a confusion matrix and one subtraction. Here's how true-positive and false-positive rates become a single number, why we average per category, and how the benchmark checks itself.Thu, 28 May 2026 00:00:00 GMTscoringmethodologyBenchProctorhttps://blog.benchproctor.com/why-static-sast-benchmarks-rot/https://blog.benchproctor.com/why-static-sast-benchmarks-rot/A frozen benchmark measures memorization as much as analysis. Here's the failure mode, and how rotating the corpus on a seed keeps scores honest without breaking comparability.Sun, 24 May 2026 00:00:00 GMTmethodologybenchmarkingBenchProctorhttps://blog.benchproctor.com/introducing-benchproctor/https://blog.benchproctor.com/introducing-benchproctor/A polyglot, anti-leakage, quarterly-rotated corpus for measuring how accurately a static analysis tool actually finds vulnerabilities — and how often it cries wolf.Wed, 20 May 2026 00:00:00 GMTannouncementmethodologyBenchProctor